Summary of the invention
The object of the present invention is to provide an accumulator-based revocable identity-based encryption method on lattices, which solves the problems, present in the prior art, that a user's private key may leak and that quantum attacks are hard to resist.
The technical scheme adopted by the invention is an accumulator-based revocable identity-based encryption method on lattices, implemented according to the following steps:
Step 1, system setup;
Step 2, private key generation;
Step 3, update key generation;
Step 4, decryption key generation;
Step 5, encryption;
Step 6, decryption;
Step 7, revocation.
The invention is further characterized in that:
Step 1 is specifically implemented according to the following steps:
Step (1.1), input the security parameter λ and the maximum number N of users plus time periods; let the user identity be
and the time period be
Define φ as a one-to-one mapping
with φ(id) = d, φ(t) = l, d, l ∈ {1, …, N}. Set the parameter m = 2n log q,
Step (1.2), run the lattice-based trapdoor generation algorithm TrapGen(q, n) to generate a uniformly random n × m matrix
together with a basis
satisfying
Step (1.3), choose 4 uniformly random matrices
and 2n − 1 uniformly random matrices
and sample one uniformly random n-dimensional vector
Step (1.4), let U denote the set of indices of all elements that have ever been added to the accumulator (they need not be contained in the current accumulator); let
The initial state of the accumulator is set to
and the state to
The revocation list RL is initially empty. Output the public parameters and the master key:
Step 2 is specifically implemented according to the following steps:
Step (2.1), input the public parameters PP, the master key MK, the identity id and the state $ST_U$; let V denote the set of indices of all elements in the current accumulator, so that
Given i = φ(id) ∈ [n];
Step (2.2), first compute the matrix
where the symbol || denotes concatenation;
Step (2.3), sample a vector
satisfying the distribution
using the private key
The process is as follows:
Witness
Step (2.4), update the accumulator and the state as follows:
$\mathrm{Acc}_{V \cup \{i\}} = \mathrm{Acc}_V + B_i$
$\mathrm{ST}_{U \cup \{i\}} = \{U \cup \{i\}, B_1, \ldots, B_n\}$
Step (2.5), sample
satisfying
where H is a full-rank difference map; let $F_{id} := (A_0 \| A_1 + H(id)\,C_1)$, so that $F_{id} \cdot e_{id} = u$ holds over
and $e_{id}$ is uniformly distributed over
Here the symbol || denotes concatenation;
Step (2.6), output the private key
Define the set $V_w$ as the set of elements contained in the accumulator at the moment the witness $w_i$ is created; $V_w$ is therefore fixed for each user and is a subset of U. The key authority sends the private key $SK_{id}$ together with the set $V_w$ to the user.
Step 3 is specifically implemented according to the following steps:
Step (3.1), delete from the set V the index l' = φ(t') associated with the previous time period t';
Step (3.2), delete from the set V all j = φ(id) for which (id, t') is in RL for the time period t';
Step (3.3), update the accumulator, i.e. for the updated set V,
Step 4 is specifically implemented according to the following steps:
Step (4.1), the user checks the following 4 points:
(a) i = φ(id) ∈ V and l = φ(t) ∈ V,
(b)
(c) compute
and check whether
i.e.
(d) verify whether $w_l$ satisfies
Step (4.2), if any one of the above 4 checks fails, decryption key generation aborts; otherwise the decryption key is derived by replacing the current accumulator with the newest accumulator, updating the witness, and computing the latest decryption key as follows:
If i ∈ V and
compute:
otherwise terminate.
Finally, set the decryption key $DK_{id,t} = (e_{id}, w_i')$.
Step 5 is specifically implemented according to the following steps:
Step (5.1), given a message M and the newest accumulator $\mathrm{Acc}_V$, which contains the current time period;
Step (5.2), let
Here the symbol || denotes concatenation;
Step (5.3), sample uniformly at random
and a uniformly random m × m matrix
Choose noise vectors
and
and set
Step (5.4), let
and output the ciphertext
Step 6 is specifically implemented according to the following steps:
Step (6.1), input the public parameters PP, the decryption key $DK_{id,t}$ and the ciphertext $CT_{id,t} = (c_0, c_1, c_2)$;
Step (6.2), compute
Step (6.3), compare w with
If
output 1; otherwise output 0.
Step 7 is specifically:
If i = φ(id) ∈ $ST_U$, add (id, t) to the revocation list RL.
The invention has the following advantages: the accumulator-based revocable identity-based encryption method on lattices is built on lattices and can therefore resist quantum attacks; it has high computational efficiency and is selective-identity secure; the update key of the invention has constant size; and the invention adds a user identity revocation mechanism that effectively realises user identity management and guarantees the security of the whole encryption system.
Specific embodiments
The present invention is described in detail below with reference to embodiments.
The accumulator-based revocable identity-based encryption method on lattices of the present invention is implemented according to Steps 1 to 7 (system setup, private key generation, update key generation, decryption key generation, encryption, decryption and revocation) exactly as set out above.
The security of the accumulator-based revocable identity-based encryption method on lattices of the present invention is analysed below:
(1) Correctness proof:
The correctness derivation of the invention is as follows:
Theorem: the error term
in the above correctness proof is bounded by
Proof: to bound the error term, let $e_{id} = (e_{id,1} \,|\, e_{id,2})$ and $w_i' = (w'_{i,1}, w'_{i,2})$, where
is obtained by the left sampling algorithm:
and
is obtained by the Gaussian sampling algorithm:
Then
Lemma 1 is used, and is stated as follows:
Lemma 1: let e be a vector in
and
Then $|e^{\top} y|$ is an integer in [0, q − 1] and with overwhelming probability satisfies
The error term is defined as
and the bound on the above error term is
To guarantee the correctness of the scheme, the parameters q, n, m, σ, α are set so that the error term is less than q/5. The parameter estimation for the scheme proceeds as follows:
(a) the error term is less than q/5, that is,
(b) the trapdoor generation algorithm requires m > 2n log q,
(c) for the left sampling algorithm and the Gaussian sampling algorithm, σ must be sufficiently large, i.e.
(d) by Regev's reduction, the parameters must satisfy
To meet the above requirements, the parameters are set as follows:
(a) m = 2n log q,
(b)
(c) the noise parameter
(d) the modulus q is a prime satisfying
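The correctness condition above, that the error term stays below q/5, can be exercised with the following added illustration, which is not code from the patent. It is a toy dual-Regev-style bit encryption with the page's parameter relation m = 2n log q and a prime q; the real scheme samples $e_{id}$ with a lattice trapdoor so that $F_{id} \cdot e_{id} = u$ (Step 2.5), whereas here $e_{id}$ is chosen first and u := F e mod q, which preserves correctness but gives no security. The accumulator part of the ciphertext ($c_2$ and the witness $w_i'$) is omitted, and all noise is ternary, so the error x − eᵀy is bounded by 1 + m instead of the Gaussian bound of Lemma 1; the ciphertext formulas, the toy values n = 4 and q = 4093, and the decision rule "within q/4 of ⌊q/2⌋" are assumptions.

```python
# Added illustration, not code from the patent: a toy dual-Regev-style bit
# encryption that shows the correctness condition "error term < q/5" used
# above. Assumptions: the real scheme samples e_id with a lattice trapdoor so
# that F_id * e_id = u (Step 2.5); here e_id is picked first and u := F e_id
# mod q, which keeps correctness but gives no security. The accumulator part
# of the ciphertext (c_2, witness w_i') is omitted, and all noise is ternary,
# so the error x - e^T y is bounded by 1 + m rather than by the Gaussian
# bound of Lemma 1.
import math
import random


def params(n=4, q=4093):
    """m = 2 n log q, the page's setting; q = 4093 is prime."""
    m = 2 * n * math.ceil(math.log2(q))
    return n, m, q


def noise_bound(m, q):
    """Worst-case |x - e^T y| for ternary x, e, y is 1 + m; correctness needs it < q/5."""
    bound = 1 + m
    return bound, bound < q / 5


def keygen(n, m, q, rng):
    F = [[rng.randrange(q) for _ in range(m)] for _ in range(n)]      # public n x m matrix (role of F_id)
    e = [rng.choice((-1, 0, 1)) for _ in range(m)]                    # short secret (role of e_id)
    u = [sum(F[r][c] * e[c] for c in range(m)) % q for r in range(n)]  # u = F e mod q
    return (F, u), e


def encrypt(pk, bit, n, m, q, rng):
    """c0 = u^T s + x + bit*floor(q/2), c1 = F^T s + y (mod q)."""
    F, u = pk
    s = [rng.randrange(q) for _ in range(n)]
    x = rng.choice((-1, 0, 1))
    y = [rng.choice((-1, 0, 1)) for _ in range(m)]
    c0 = (sum(u[r] * s[r] for r in range(n)) + x + bit * (q // 2)) % q
    c1 = [(sum(F[r][c] * s[r] for r in range(n)) + y[c]) % q for c in range(m)]
    return c0, c1


def decrypt(e, ct, q):
    """w = c0 - e^T c1 = x - e^T y + bit*floor(q/2); output 1 iff w is within q/4 of floor(q/2)."""
    c0, c1 = ct
    w = (c0 - sum(ec * cc for ec, cc in zip(e, c1))) % q
    dist = min((w - q // 2) % q, (q // 2 - w) % q)   # distance to floor(q/2) on the circle Z_q
    return 1 if dist < q // 4 else 0


def roundtrip(trials=200, seed=7):
    """Encrypt alternating bits and count correct decryptions."""
    n, m, q = params()
    rng = random.Random(seed)
    pk, e = keygen(n, m, q, rng)
    correct = 0
    for k in range(trials):
        bit = k % 2
        correct += decrypt(e, encrypt(pk, bit, n, m, q, rng), q) == bit
    return correct, trials


if __name__ == "__main__":
    n, m, q = params()
    print("n, m, q =", n, m, q)
    print("noise bound, below q/5:", noise_bound(m, q))
    print("correct decryptions:", roundtrip())
```

With n = 4 and q = 4093 the bound 1 + m = 97 is far below q/5 ≈ 818, so every ciphertext decrypts correctly; the same m against a modulus such as q = 257 violates the q/5 condition, which is the situation the parameter setting (a)-(d) above is meant to rule out.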
(2) Security proof:
Theorem: if there exists a probabilistic polynomial-time algorithm A that breaks the RIBE scheme under IND-sID-CPA with advantage ε > 0, then there exists a probabilistic polynomial-time algorithm B that decides the
problem with advantage ε.
Proof: if the adversary A breaks the scheme with non-negligible advantage, then the challenger B can use A to decide the
problem. The proof proceeds through a sequence of games. The first game is identical to the IND-sID-CPA game of the security model, and in the last game the adversary's advantage is 0. It therefore suffices to show that no probabilistic polynomial-time adversary A can distinguish any two consecutive games; this proves that the adversary wins the original IND-sID-CPA game with only negligible advantage.
Game 0: the security model of this game is indistinguishability under chosen-plaintext attack with selective identity (IND-sID-CPA). The challenger B chooses n + 4 random matrices
and generates the public parameters PP and the master key MK. In the challenge phase the challenger generates the challenge ciphertext $CT^*$. Let
for i = 1, 2, denote the 2 ephemeral random matrices used in creating the challenge ciphertext $CT^*$.
Game 1: in Game 1 the challenger changes the way the public parameter matrices $A_1, A_2$ are generated. Let (id*, t*) be the identity-time pair that A intends to attack, with φ(id*) = i* and φ(t*) = l*. In the setup phase the challenger B chooses random matrices
and constructs the matrices $A_1, A_2$ as follows:
The remaining parameters of the game are unchanged. Note that
are chosen in advance in the setup phase, and no knowledge of the challenge identity id* or the challenge time t* is needed to choose them.
Lemma 2: assume m > (n + 1) log q + ω(log n) and q is prime. Let
be uniformly random, and let R be an m × m matrix uniform over $\{-1, 1\}^{m \times m}$ mod q. Then for all vectors
the distribution $(A, AR, R^{\top} w)$ is statistically close to the distribution $(A, B, R^{\top} w)$.
By Lemma 2, Game 0 and Game 1 are indistinguishable. Observe that in Game 1 the matrices
are used only to construct the matrices $A_1, A_2$ and the error vectors
used in constructing the challenge ciphertext $CT^*$. By Lemma 3, the distributions $(A_0, A_0 R_1^*, z_1)$ and $(A_0, C_1', z_1)$ are statistically close, and the distributions $(A_0, A_0 R_2^*, z_2)$ and $(A_0, C_2', z_2)$ are statistically close, where $C_1', C_2'$ are uniformly random matrices over
Hence, from the adversary's point of view, the matrices $A_0 R_i^*$ are close to uniform and independent of z, so the $A_1, A_2$ defined above are close to uniform. Therefore $A_1, A_2$ are indistinguishable between Game 0 and Game 1.
Game 2: in Game 2 we change the way u is chosen in the parameters. The challenger generates the private key and the update key corresponding to id = id*, t = t* as follows:
To simplify the reduction, we divide adversaries into two types:
Type 1: the adversary queries the private key of the challenge identity id*, but id* has been revoked before time t*.
Type 2: the adversary never queries the private key of the challenge identity id* at any time.
If the challenger faces a Type 1 adversary, it generates
and
sets $u \leftarrow F_{id} \cdot e_{id}$, and then lets
where l = φ(t) and i = φ(id). Because id* has been revoked before the update key for t* is queried, the newest accumulator contains no record of id*. The challenger uses $(e_{id}, w_i)$ as the answer to the private key query for id*, and $(w_l)$ as the answer to the update key query for the challenge time t*.
If the challenger faces a Type 2 adversary, it generates
where l = φ(t). Because the private key of id* is never queried, the challenger uses $(w_l)$ as the answer to the update key query for the challenge time t*.
By Lemma 1, the above $e_{id}, w_i, w_l$ are sampled from
which is statistically close to
in the real scheme. In particular, we have
Because
can be regarded as
and
is a randomly chosen matrix, by Lemma 2, u is statistically close to the uniform distribution over
Therefore the adversary cannot tell which type of adversary the challenger is simulating, and the challenger simulates the game correctly with probability
Hence, when the game is simulated correctly, Game 1 and Game 2 are indistinguishable.
Game 3: now the challenger changes the way $A_0, C_1, C_2$ are chosen in Game 2. In Game 3 the matrix $A_0$ is generated as a random matrix over
and the matrices $C_1, C_2$ are generated with the TrapGen algorithm so that $C_1, C_2$ are random matrices over
and the challenger holds the trapdoor
of
and the trapdoor
of
The construction of the matrices $A_1, A_2$ is the same as in Game 1.
To answer the private key and update key queries with id ≠ id* and t ≠ t*, we use the trapdoor
in place of the trapdoor
Let
Because $[H(id) - H(id^*)]$ and
are non-singular, the trapdoor
is also a trapdoor for
where
The challenger now answers all private key queries for id ≠ id* as follows:
where φ(id) = i.
The challenger now answers all update key queries for t ≠ t* as follows:
where φ(t) = l.
Because the σ used in the encryption system is sufficiently large, the simulated private key component $e_{id}$ is statistically close to
and $w_i$ is statistically close to
and the simulated update key component $w_l$ is statistically close to
The challenger answers the private key query for id* and the update key query for t* as in Game 2. Otherwise Game 3 is the same as Game 2. In Game 3 the matrices $A_0, C_1, C_2$ constructed to answer the private key and update key queries are statistically close to the original matrices in Game 2, so the adversary's advantage in Game 3 differs at most negligibly from its advantage in Game 2; that is, Game 2 and Game 3 are indistinguishable.
Game 4: Game 4 is the same as Game 3, except that the challenge ciphertext $(c_0^*, c_1^*, c_2^*)$ is an element chosen uniformly at random from
Because the challenge ciphertext is always a fresh random element of the ciphertext space, the adversary's advantage in this game is 0. The remaining task is to prove that Game 3 and Game 4 are computationally indistinguishable, by a reduction from an LWE problem.
Reduction from the Learning With Errors (LWE) problem: suppose the adversary has non-negligible advantage in distinguishing Game 3 from Game 4. Using this adversary we construct an LWE algorithm, denoted B. Recall that an instance of the LWE problem is provided by a sampling oracle O, which is either a truly random oracle $O_{\$}$ or a noisy pseudorandom oracle $O_s$. The challenger B uses the adversary to distinguish the two games as follows:
Instantiation: B queries the oracle O and receives its answers. For i = 0, …, m, a fresh pair
is obtained. B constructs the public parameters PP of the system as follows:
1. Using the m LWE instances provided above, let the i-th column of
be the n-dimensional vector $u_i$ from the LWE instance, for i = 1, …, m.
2. Designate the 0-th sample of the LWE instance as the random n-dimensional vector
3. Construct the remaining public parameters, namely $A_1, A_2, C_1, C_2$, as in Game 3, using id*, t*,
4. Send the public parameters $PP = (A_0, A_1, A_2, C_1, C_2, B_1, \ldots, B_n)$ to the adversary.
Queries: the challenger answers private key queries and update key queries as in Game 3.
Challenge: when the adversary provides a message bit $b^* \in \{0, 1\}$, a challenge ciphertext corresponding to the target (id*, t*) is constructed as follows:
1. Let $v_0, \ldots, v_m$ be the components from the LWE instance; set
2. Blind the message bit by setting
3. Let
4. Choose a random bit r ∈ {0, 1}; if r = 0, send the ciphertext
to the adversary; if r = 1, send a random ciphertext
to the adversary.
We next argue that when the LWE oracle is the pseudorandom oracle, i.e. $O = O_s$, the distribution of $CT^*$ coincides with the distribution in Game 3. First, we observe that
Second, by the definition of $O_s$, we know that
for some random noise vector
distributed as
Therefore the
defined in step 3 satisfies
and the right-hand side of the equation is exactly the $c_1, c_2$ part of a valid challenge ciphertext in Game 3. We also note that
which is precisely the $c_0$ part of the challenge ciphertext in Game 3.
When $O = O_{\$}$, $v_0$ is uniformly distributed over
and $v^*$ is uniformly distributed over
Therefore the
defined in step 3 above are uniformly and independently distributed, and
is uniformly and independently distributed.
Hence the challenge ciphertext is always uniformly distributed over
as in Game 4.
Guess: after further queries are allowed, the adversary outputs its guess. If the adversary wins the game, the challenger uses the adversary to solve the LWE problem
From the above discussion, when $O = O_{\$}$ the adversary's view is as in Game 4, and when $O = O_s$ the adversary's view is as in Game 3. Therefore the advantage of the challenger in solving the LWE problem equals the adversary's advantage in distinguishing Game 3 from Game 4. This completes the description of algorithm B and completes our proof.